Analysis Overview
SHA256
779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Threat Level: Known bad
The file NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Glupteba payload
Glupteba
Detected Djvu ransomware
Djvu Ransomware
Amadey
Vidar
SmokeLoader
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Executes dropped EXE
Checks computer location settings
Modifies file permissions
Deletes itself
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Creates scheduled task(s)
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Analysis: static1
Detonation Overview
Reported
2023-10-18 18:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 18:07
Reported
2023-10-18 18:13
Platform
win7-20230831-en
Max time kernel
151s
Max time network
160s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2259af8a-cce1-4d72-80ee-fa37b1e9acb5\\8363.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2976 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe |
| PID 1988 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2880 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe |
| PID 3068 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe | C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\8363.exe
C:\Users\Admin\AppData\Local\Temp\8363.exe
C:\Users\Admin\AppData\Local\Temp\8363.exe
C:\Users\Admin\AppData\Local\Temp\8363.exe
C:\Users\Admin\AppData\Local\Temp\8B02.exe
C:\Users\Admin\AppData\Local\Temp\8B02.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A6AD.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\A6AD.dll
C:\Users\Admin\AppData\Local\Temp\B510.exe
C:\Users\Admin\AppData\Local\Temp\B510.exe
C:\Users\Admin\AppData\Local\Temp\BD89.exe
C:\Users\Admin\AppData\Local\Temp\BD89.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\D06E.exe
C:\Users\Admin\AppData\Local\Temp\D06E.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2259af8a-cce1-4d72-80ee-fa37b1e9acb5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\8363.exe
"C:\Users\Admin\AppData\Local\Temp\8363.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8363.exe
"C:\Users\Admin\AppData\Local\Temp\8363.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
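The Processes list above puts three persistence and self-protection techniques side by side: two scheduled tasks with a one-minute trigger (one re-launching yiueea.exe from Temp, one launching mstsca.exe from AppData\Roaming), an icacls call that denies Everyone (S-1-1-0) the Delete and Delete-Child rights (DE, DC) on the directory 8363.exe was copied to, a cacls chain that sets Admin:N on yiueea.exe and its folder, and regsvr32 /s silently registering A6AD.dll out of Temp. The Python below is an added example, not part of the report and not any sandbox vendor's signature set. It runs over (image, command line) pairs copied from the list above plus one constructed benign-looking task; the rule names, the USER_WRITABLE path heuristic and the SAMPLE_EVENTS list are this example's own assumptions.

```python
"""Process-creation detections for the persistence/ACL tricks seen above.
Added example: rule names, the USER_WRITABLE heuristic and SAMPLE_EVENTS are
this example's assumptions, not sandbox output or a vendor rule set."""
import re

# Paths a normal installer would not schedule tasks from or ACL-lock
# (heuristic; assumption of this example).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# (image, command line) pairs. The first six are copied from the Processes
# section; the last is a constructed benign task so the rules have
# something to leave alone.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r"/s C:\Users\Admin\AppData\Local\Temp\A6AD.dll"),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\2259af8a-cce1-4d72-80ee-fa37b1e9acb5" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",  # constructed benign control
     r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]


def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(image, cmdline):
    """Return [(rule, detail), ...] for one process-creation event."""
    name, cl, findings = image_name(image), cmdline, []

    # Persistence: a one-minute task trigger, or a task whose action lives
    # under a user-writable path. Matched on the image name because the
    # second schtasks line above carries no "schtasks" in its command line.
    if name == "schtasks.exe":
        if re.search(r"/sc\s+minute\b", cl, re.I) and re.search(r"/mo\s+1\b", cl, re.I):
            findings.append(("schtasks_minute_interval", cl))
        target = re.search(r'/tr\s+"([^"]+)"', cl, re.I) or re.search(r"/tr\s+(\S+)", cl, re.I)
        if target and USER_WRITABLE.search(target.group(1)):
            findings.append(("schtasks_target_user_writable", target.group(1)))

    # Self-protection: icacls /deny, or cacls /P <user>:N (no access), used so
    # the user (or a cleanup tool) cannot delete the dropped files. Checked on
    # the command line too so the cmd.exe wrapper is caught as well.
    if name in ("icacls.exe", "cacls.exe") or re.search(r"\bi?cacls\b", cl, re.I):
        if re.search(r"/deny\b", cl, re.I) or re.search(r'/p\s+"?[^"\s]+:N\b', cl, re.I):
            findings.append(("acl_deny_self_protect", cl))

    # Defence evasion: regsvr32 silently (/s) registering a DLL from Temp/AppData.
    if name == "regsvr32.exe":
        dll = re.search(r"(\S+\.dll)\b", cl, re.I)
        if dll and USER_WRITABLE.search(dll.group(1)) and re.search(r"(^|\s)/s(\s|$)", cl, re.I):
            findings.append(("regsvr32_silent_user_writable_dll", dll.group(1)))
    return findings


def scan(events):
    """Run detect() over (image, cmdline) pairs -> {rule: [detail, ...]}."""
    hits = {}
    for image, cl in events:
        for rule, detail in detect(image, cl):
            hits.setdefault(rule, []).append(detail)
    return hits


if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(rule)
        for d in details:
            print("   ", d)
```

The cacls rule deliberately fires on the cmd.exe wrapper as well as on the child cacls.exe processes; in a real pipeline you would deduplicate on the process tree, but for triage the wrapper line is the one that shows the full sequence (deny, then re-grant read-only, then Exit).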
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.72.252.139:80 | apps.identrust.com | tcp |
| KR | 175.120.254.9:80 | zexeq.com | tcp |
| MX | 189.169.91.61:80 | colisumy.com | tcp |
| BG | 171.22.28.236:38306 | | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| KR | 175.120.254.9:80 | zexeq.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
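Read as a triage analyst would, the Network table above separates into a few groups: the repeated connections to one host:port (stalagmijesarl.com on 95.214.26.31:80) are a check-in loop; the destinations with no hostname (79.137.192.18:80 and 171.22.28.236:38306, the latter on a non-standard port) are hard-coded addresses with no DNS cover; domains that were resolved but never connected to (onualituyrs.org, loveperry.org) are dead or not-yet-live infrastructure; api.2ip.ua is the external-IP lookup the signature list already flags; and apps.identrust.com is the certificate-chain fetch Windows performs on its own. The Python below is an added example, not report output. Its rows are a constructed sample copied from the table above, and the category names, the beacon threshold and the BENIGN_INFRA and IP_ECHO_SERVICES sets are this example's assumptions.

```python
"""Triage of a sandbox Network table. Added example: thresholds, allow-lists
and category names are this example's assumptions, not sandbox logic."""
from collections import Counter

# Rows copied from the Network table above (constructed sample; the full
# table has many more repeats of the stalagmijesarl.com connection).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.72.252.139:80 | apps.identrust.com | tcp |
| BG | 171.22.28.236:38306 | | tcp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
"""

# Hosts that appear in most detonations for reasons unrelated to C2
# (certificate chain fetches, IP-echo services). Assumption of this example.
BENIGN_INFRA = {"apps.identrust.com"}
IP_ECHO_SERVICES = {"api.2ip.ua"}


def parse_rows(table):
    """'| CC | ip:port | domain | proto |' lines -> list of dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(table, beacon_threshold=3):
    rows = parse_rows(table)
    tcp = [r for r in rows if r["proto"] == "tcp"]
    resolved = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    connected = {r["domain"] for r in tcp}
    hits = Counter((r["domain"] or r["ip"], r["port"]) for r in tcp)
    return {
        # the same host:port over and over inside a short detonation: check-in loop
        "beacons": sorted(f"{h}:{p}" for (h, p), n in hits.items() if n >= beacon_threshold),
        # no hostname at all (empty, or the IP echoed as the "domain"): hard-coded C2
        "ip_only": sorted({f"{r['ip']}:{r['port']}" for r in tcp if r["domain"] in ("", r["ip"])}),
        "nonstandard_ports": sorted({f"{r['ip']}:{r['port']}" for r in tcp if r["port"] not in (80, 443)}),
        # resolved but never contacted: dead, sinkholed or not-yet-live domains
        "dns_only": sorted(resolved - connected - BENIGN_INFRA),
        "ip_echo": sorted(connected & IP_ECHO_SERVICES),
    }


if __name__ == "__main__":
    for category, values in triage(NETWORK_TABLE).items():
        print(f"{category:18} {values}")
```

The beacon threshold of 3 is tuned for a 160-second detonation; on longer captures raise it, and compare inter-arrival times rather than raw counts once the table carries timestamps.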
Files
memory/2016-1-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2016-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2016-3-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1248-4-0x0000000002AA0000-0x0000000002AB6000-memory.dmp
memory/2016-5-0x0000000000400000-0x00000000007CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2976-20-0x0000000002080000-0x0000000002111000-memory.dmp
memory/2976-21-0x0000000002080000-0x0000000002111000-memory.dmp
memory/2976-22-0x0000000002120000-0x000000000223B000-memory.dmp
\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2680-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2680-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2976-31-0x0000000002080000-0x0000000002111000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\8B02.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
memory/2628-35-0x00000000001C0000-0x00000000008FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A6AD.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/2628-38-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-39-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-40-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-41-0x00000000755F0000-0x0000000075637000-memory.dmp
memory/2628-42-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-44-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-45-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2680-43-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2628-47-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-49-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-51-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-52-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-50-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-53-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-54-0x0000000076750000-0x0000000076860000-memory.dmp
\Users\Admin\AppData\Local\Temp\A6AD.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/2628-57-0x0000000076750000-0x0000000076860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B510.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
memory/2628-63-0x00000000755F0000-0x0000000075637000-memory.dmp
memory/2628-65-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-67-0x00000000770C0000-0x00000000770C2000-memory.dmp
memory/2680-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3056-64-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/3056-69-0x0000000000180000-0x0000000000186000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BD89.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/1248-78-0x0000000002BD0000-0x0000000002BE6000-memory.dmp
memory/1972-79-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/1972-81-0x0000000000895000-0x00000000008A8000-memory.dmp
memory/1972-83-0x0000000000220000-0x0000000000229000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D06E.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3056-88-0x0000000002200000-0x0000000002326000-memory.dmp
memory/3056-89-0x0000000002330000-0x0000000002439000-memory.dmp
memory/3056-90-0x0000000002330000-0x0000000002439000-memory.dmp
memory/3056-92-0x0000000002330000-0x0000000002439000-memory.dmp
memory/3056-93-0x0000000002330000-0x0000000002439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2628-101-0x00000000001C0000-0x00000000008FE000-memory.dmp
memory/1272-115-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-114-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1272-112-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-110-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-109-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-108-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-123-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-131-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2628-135-0x0000000073AA0000-0x000000007418E000-memory.dmp
memory/2680-136-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\2259af8a-cce1-4d72-80ee-fa37b1e9acb5\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1272-144-0x0000000073AA0000-0x000000007418E000-memory.dmp
memory/3012-145-0x0000000000060000-0x000000000006C000-memory.dmp
memory/3012-146-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2628-149-0x00000000001C0000-0x00000000008FE000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1440-155-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/1440-156-0x00000000001A0000-0x0000000000215000-memory.dmp
memory/2628-157-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-159-0x00000000755F0000-0x0000000075637000-memory.dmp
memory/2628-158-0x0000000076750000-0x0000000076860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1440-173-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/2628-174-0x0000000076750000-0x0000000076860000-memory.dmp
\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2628-178-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2680-179-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2628-182-0x0000000076750000-0x0000000076860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2628-175-0x0000000076750000-0x0000000076860000-memory.dmp
\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2628-183-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-184-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-185-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-186-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-187-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-191-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2628-192-0x0000000004A10000-0x0000000004A50000-memory.dmp
memory/2628-193-0x0000000076750000-0x0000000076860000-memory.dmp
memory/1272-194-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/2880-195-0x0000000002030000-0x00000000020C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2880-202-0x0000000002030000-0x00000000020C1000-memory.dmp
memory/2628-203-0x0000000073AA0000-0x000000007418E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1272-204-0x0000000073AA0000-0x000000007418E000-memory.dmp
memory/2848-205-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-206-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f4b14b414bb7d64a8aba0492c4920ebd |
| SHA1 | 7a8463089433ccb9c66a5d49baa69c0009efa069 |
| SHA256 | 692ad14c0599ce59668b08554ec0fb5dbc70fc286bb0f14ca420328d3949760a |
| SHA512 | 0328bdbe490487cdbf5438927e4a2840288c3b664975a795df8f9384f7e8030665c6e3526223a3176dfc02cfbc2a40feb35b74e8d63f8c0282c5d2349dfb38bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 4402a0fc0ec273e2c3bd6a1188700b05 |
| SHA1 | 2c8ff24692967b5ae6a2b827113336b51bfe59d6 |
| SHA256 | 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9 |
| SHA512 | fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e768736b9382ad18e2130c34f422cf7 |
| SHA1 | 08bb4f20f55c6f8d5cfab5280dd045f67232a8cf |
| SHA256 | eb57e7b948d15d86feda8ee801c8e419955c1d23190526119e79516b9b64ba9b |
| SHA512 | 007ed2cf0d880db1b4d1a810724e52522170734800f152ba51ff41fdfaec04e31eb0e5c1f9e321b358a48976e483207062fdd267803e4d946ff34557ce33cf48 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 7450e733e6aa21082c642a106b9702b9 |
| SHA1 | 59078c63829f6df95658ef28e1efccdd21a9f445 |
| SHA256 | 1d75d290f6b52f5766736deb1bec22d8ddbe2fbd7317b6e36665f0f341bdb85f |
| SHA512 | 6ba5460b6450a377896d153df5e05601e845ecbd439716df2d521b403d5f79576d728c9decdc445575ab95eb236ad612096ac549cf2c886d6e2f14edca21697d |
C:\Users\Admin\AppData\Local\Temp\Cab55BE.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2848-222-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-221-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar5B03.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2271ffb6bc53740d45fd20a6d74b0941 |
| SHA1 | d5d41d15296fe075f36b8eaf821823e642e5f1d6 |
| SHA256 | 1ead14c33c1021270d59a59e342890ba07b5d36782238174c859dca23879791d |
| SHA512 | 83a7ec9167432fe668c6b581b68af6c035a8b6ea366d0df8fc501431541838011dc152a2e66a6d795f5035d70c26a9f2ec8161cc24627df09fd047506987ea37 |
memory/2848-287-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-289-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2848-290-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/2168-304-0x00000000000C0000-0x00000000000CB000-memory.dmp
memory/2628-305-0x0000000004A10000-0x0000000004A50000-memory.dmp
memory/2168-306-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2168-307-0x00000000000C0000-0x00000000000CB000-memory.dmp
memory/1272-308-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/1456-311-0x0000000000860000-0x00000000008B1000-memory.dmp
memory/1456-310-0x00000000002D0000-0x00000000003D0000-memory.dmp
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/2848-314-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1484-315-0x00000000000E0000-0x00000000000EF000-memory.dmp
memory/2848-316-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1484-317-0x0000000000860000-0x00000000008B1000-memory.dmp
memory/2544-319-0x0000000000080000-0x0000000000089000-memory.dmp
memory/748-326-0x00000000000E0000-0x00000000000EC000-memory.dmp
memory/2408-329-0x0000000000080000-0x00000000000A7000-memory.dmp
memory/744-334-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2848-344-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2924-346-0x0000000000080000-0x000000000008B000-memory.dmp
\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
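The dropped-file listing above repeats the same file (8363.exe, build2.exe, build3.exe) once per write event, sometimes as `C:\Users\...` and sometimes as the root-relative `\Users\...`, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries interleaved. The parser below, an added example that is not part of the sandbox report or its tooling, turns that layout into a deduplicated IOC set keyed by SHA256 (keeping every path variant and an occurrence count), validates digest lengths so a truncated hash is flagged rather than silently indexed, and groups memory dumps by PID with the region size computed from the address range. The `SAMPLE` excerpt is constructed from a handful of the lines above; the function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout (SHA512 rows omitted for brevity;
# the parser accepts any of the four algorithms).
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
memory/2628-178-0x0000000076750000-0x0000000076860000-memory.dmp
memory/2680-179-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8363.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
memory/2628-182-0x0000000076750000-0x0000000076860000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_ROW = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_ROW = re.compile(r"^(?:[A-Za-z]:)?\\.+$")   # drive path or root-relative path


@dataclass
class DroppedFile:
    hashes: dict                      # algorithm -> lowercase hex digest
    paths: set = field(default_factory=set)
    occurrences: int = 0              # how many times the report listed this file


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text):
    """Return (files_by_sha256, memory_dumps, errors) from the flattened listing."""
    files, dumps, errors = {}, [], []
    path, hashes = None, {}

    def flush():
        # A file block ends when the next path/memory line (or EOF) arrives.
        nonlocal path, hashes
        if path is not None and hashes:
            key = hashes.get("SHA256")
            if key is None:
                errors.append(f"no SHA256 for {path}")
            else:
                entry = files.setdefault(key, DroppedFile(hashes={}))
                for algo, digest in hashes.items():
                    if entry.hashes.setdefault(algo, digest) != digest:
                        errors.append(f"{algo} mismatch for {path}")
                entry.paths.add(path)
                entry.occurrences += 1
        path, hashes = None, {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                errors.append(f"bad {algo} length on {path}: {digest}")
            else:
                hashes[algo] = digest
            continue
        flush()
        m = MEM_ROW.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
        elif PATH_ROW.match(line):
            path = line
        else:
            errors.append(f"unrecognised line: {line}")
    flush()
    return files, dumps, errors


def ioc_rows(files):
    """One row per unique binary: (sha256, occurrences, sorted path variants)."""
    return [(sha, f.occurrences, sorted(f.paths)) for sha, f in sorted(files.items())]


def dumps_by_pid(dumps):
    """Group memory dumps per PID, ordered by the report's sequence number."""
    by_pid = defaultdict(list)
    for d in dumps:
        by_pid[d.pid].append(d)
    return {pid: sorted(v, key=lambda d: d.seq) for pid, v in by_pid.items()}


if __name__ == "__main__":
    files, dumps, errors = parse_report(SAMPLE)
    for sha, count, paths in ioc_rows(files):
        print(sha, count, paths)
    for pid, regions in dumps_by_pid(dumps).items():
        print(pid, [(hex(r.start), hex(r.size)) for r in regions])
    print("errors:", errors)
```

Keying on SHA256 rather than on path is what collapses the repeated blocks: the two spellings of `8363.exe` are the same binary and should be one IOC with two path variants, not two IOCs. The same region `0x76750000-0x76860000` being dumped repeatedly for PID 2628 is visible as a list of sequence numbers under that PID, which is the shape a hunter wants before deciding which dump to load.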
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-18 18:07
Reported
2023-10-18 18:13
Platform
win10v2004-20230915-en
Max time kernel
111s
Max time network
161s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\759D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67FF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\759D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7C46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2\\5F80.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1392 set thread context of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | C:\Users\Admin\AppData\Local\Temp\5F80.exe |
| PID 4508 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\62BD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1972 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | C:\Users\Admin\AppData\Local\Temp\5F80.exe |
| PID 2136 set thread context of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\67FF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
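The signature tables from "Identifies VirtualBox via ACPI registry values" down to "Suspicious use of SetThreadContext" carry the behaviour that matters for triage: the ACPI `VBOX__` and `SystemBiosVersion`/`VideoBiosVersion` reads are VM fingerprinting, `Geo\Nation` and `EnableLUA` are environment recon, the `Run\SysHelper` value is the persistence entry, and the "PID A set thread context of B" rows show where execution was written into another process, including a legitimate .NET host (`AppLaunch.exe`). The script below is an added example, not part of the report or of any sandbox product; it parses that table layout, tags each process image with the behaviours its registry indicators imply, extracts the injection edges and marks those whose target image differs from the source (a hollowed host rather than a self-spawned copy), and decodes the escaped Run value into image path and arguments with a check for the GUID-named folder under `AppData\Local`. The tag names, function names and the `SAMPLE` excerpt (rows copied from this report, selection mine) are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout: a signature heading, the
# "| Description | Indicator | Process | Target |" header, then its rows.
SAMPLE = r"""
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2\\5F80.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5F80.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1392 set thread context of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\5F80.exe | C:\Users\Admin\AppData\Local\Temp\5F80.exe |
| PID 4508 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\62BD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
"""

HEADER = ["Description", "Indicator", "Process", "Target"]
INJECT_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)

# Registry key suffixes mapped to behaviour tags (tag names are my own labels).
REGISTRY_TAGS = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "anti-vm:acpi-vbox"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
     "anti-vm:bios-version"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "recon:geo-nation"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "recon:uac-status"),
    (re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), "persistence:run-key"),
]


def parse_signatures(text):
    """Map each signature heading to its rows; 'N/A' cells become None."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current = line                       # a signature heading
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells == HEADER or current is None or len(cells) != len(HEADER):
            continue
        sections[current].append(
            {k.lower(): (None if v == "N/A" else v) for k, v in zip(HEADER, cells)})
    return dict(sections)


def behaviour_tags(sections):
    """Process image -> set of tags implied by the registry keys it touched."""
    tags = defaultdict(set)
    for rows in sections.values():
        for row in rows:
            ind, proc = row["indicator"], row["process"]
            if not ind or not proc:
                continue
            key = ind.split(" = ", 1)[0]         # drop any "= value" part
            for pattern, tag in REGISTRY_TAGS:
                if pattern.search(key):
                    tags[proc].add(tag)
    return dict(tags)


def injection_edges(sections):
    """Thread-context writes as (src_pid -> dst_pid) edges with a hollowing flag."""
    edges = []
    for rows in sections.values():
        for row in rows:
            m = INJECT_RE.match(row["description"] or "")
            if not m:
                continue
            src, dst = row["process"] or "", row["target"] or ""
            edges.append({
                "src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                "src_image": src, "dst_image": dst,
                # Context written into a different image (e.g. AppLaunch.exe)
                # is a hollowed legitimate host, not a self-spawned copy.
                "hollowed_host": src.lower() != dst.lower(),
            })
    return edges


def parse_run_value(indicator):
    """Decode 'KeyPath\\Name = "<escaped command line>"' into its parts."""
    key, _, value = indicator.partition(" = ")
    name = key.rsplit("\\", 1)[-1]
    value = re.sub(r"\\(.)", r"\1", value.strip('"'))   # undo \\ and \" escaping
    m = re.match(r'^"([^"]*)"\s*(.*)$', value) or re.match(r"^(\S+)\s*(.*)$", value)
    image, args = m.group(1), m.group(2)
    return {"name": name, "image": image, "args": args,
            "in_guid_dir": bool(GUID_DIR_RE.search(image))}


if __name__ == "__main__":
    sections = parse_signatures(SAMPLE)
    print(behaviour_tags(sections))
    print(injection_edges(sections))
    print(parse_run_value(sections["Adds Run key to start application"][0]["indicator"]))
```

Two caveats when reusing this on other reports: the Run-key decoding assumes the report's `\\`/`\"` escaping shown above, and the hollowing flag only compares image names, so an injector that targets a second copy of its own binary (as `5F80.exe` does) is reported as `hollowed_host: False` even though it is still cross-process injection worth alerting on.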
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7C46.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5F80.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\69E4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\69E4.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\69E4.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69E4.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62BD.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9349.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\5F80.exe
C:\Users\Admin\AppData\Local\Temp\5F80.exe
C:\Users\Admin\AppData\Local\Temp\62BD.exe
C:\Users\Admin\AppData\Local\Temp\62BD.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\661A.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\661A.dll
C:\Users\Admin\AppData\Local\Temp\69E4.exe
C:\Users\Admin\AppData\Local\Temp\69E4.exe
C:\Users\Admin\AppData\Local\Temp\67FF.exe
C:\Users\Admin\AppData\Local\Temp\67FF.exe
C:\Users\Admin\AppData\Local\Temp\5F80.exe
C:\Users\Admin\AppData\Local\Temp\5F80.exe
C:\Users\Admin\AppData\Local\Temp\759D.exe
C:\Users\Admin\AppData\Local\Temp\759D.exe
C:\Users\Admin\AppData\Local\Temp\7C46.exe
C:\Users\Admin\AppData\Local\Temp\7C46.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 344
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\9349.exe
C:\Users\Admin\AppData\Local\Temp\9349.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\5F80.exe
"C:\Users\Admin\AppData\Local\Temp\5F80.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5F80.exe
"C:\Users\Admin\AppData\Local\Temp\5F80.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\9349.exe
"C:\Users\Admin\AppData\Local\Temp\9349.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\kyabiylzsfjo.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
Files
memory/4392-1-0x0000000000800000-0x0000000000900000-memory.dmp
memory/4392-2-0x00000000007E0000-0x00000000007EB000-memory.dmp
memory/4392-3-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/3148-4-0x0000000002990000-0x00000000029A6000-memory.dmp
memory/4392-8-0x00000000007E0000-0x00000000007EB000-memory.dmp
memory/4392-5-0x0000000000400000-0x00000000007CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5F80.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\5F80.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\62BD.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
C:\Users\Admin\AppData\Local\Temp\62BD.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
memory/4508-23-0x00000000002A0000-0x00000000009DE000-memory.dmp
memory/4508-24-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-25-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-26-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-27-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-29-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-31-0x00000000773E4000-0x00000000773E6000-memory.dmp
memory/4508-33-0x0000000075230000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\661A.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/4508-36-0x0000000075230000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\67FF.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
C:\Users\Admin\AppData\Local\Temp\69E4.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
C:\Users\Admin\AppData\Local\Temp\69E4.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/4508-30-0x0000000075230000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\67FF.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
C:\Users\Admin\AppData\Local\Temp\661A.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/4528-47-0x0000000000770000-0x0000000000776000-memory.dmp
memory/4528-48-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/4508-50-0x00000000002A0000-0x00000000009DE000-memory.dmp
memory/1392-52-0x00000000024E0000-0x0000000002575000-memory.dmp
memory/1392-54-0x0000000002580000-0x000000000269B000-memory.dmp
memory/4508-53-0x0000000005980000-0x0000000005F24000-memory.dmp
memory/4508-56-0x00000000053D0000-0x0000000005462000-memory.dmp
memory/4764-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4764-58-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5F80.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/4508-59-0x0000000005610000-0x00000000056AC000-memory.dmp
memory/4764-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4508-67-0x00000000002A0000-0x00000000009DE000-memory.dmp
memory/4764-68-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\759D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\759D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4508-69-0x0000000005570000-0x000000000557A000-memory.dmp
memory/4508-76-0x0000000075230000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7C46.exe
| MD5 | 1ce0912c72e8d0bfa728e6a229b04330 |
| SHA1 | 071804aecef07ef6e2a43cacc9dbacf64a8a2232 |
| SHA256 | b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273 |
| SHA512 | 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e |
memory/3168-81-0x00000000023D0000-0x00000000023D9000-memory.dmp
memory/3168-79-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/4508-83-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-84-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-85-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-86-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-88-0x0000000075230000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3168-82-0x0000000000400000-0x00000000007CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7C46.exe
| MD5 | 1ce0912c72e8d0bfa728e6a229b04330 |
| SHA1 | 071804aecef07ef6e2a43cacc9dbacf64a8a2232 |
| SHA256 | b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273 |
| SHA512 | 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e |
memory/4508-96-0x0000000075230000-0x0000000075320000-memory.dmp
memory/4508-97-0x0000000075230000-0x0000000075320000-memory.dmp
memory/408-102-0x0000000000970000-0x0000000000A70000-memory.dmp
memory/408-103-0x0000000000820000-0x000000000082B000-memory.dmp
memory/408-104-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/3148-105-0x0000000002B90000-0x0000000002BA6000-memory.dmp
memory/3168-107-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/4528-109-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/4528-110-0x0000000000960000-0x0000000000A86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9349.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Local\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2\5F80.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\5F80.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr5gvqvz.grd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\aidihdd
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 4fd6b3a467056385abd8ed1f85da0fa2 |
| SHA1 | 4c42cd69ac787622af8b0748cb72b76911f9ff76 |
| SHA256 | 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec |
| SHA512 | 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6738d1984cdb9f3d4136a1dd7c2bb45e |
| SHA1 | 1b202fa2af82b1f911275cc51e0fcc0911f8c640 |
| SHA256 | b46154e81bff60e4009cb82dd443803d636ea916ddc4e2a63d5f9e5479b348c4 |
| SHA512 | a09f1e1e74a376dac5b8f468bc8bf568950b65f3b616410a804751bd49ca676b57e3785d749b9b0cd52406d5490637e95f6b680ec10041bca4a7faf281e17c0b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6eac15739187cb08cacb633e135bf399 |
| SHA1 | 00aa8b552395a936f4d3a008887f642905aa90e6 |
| SHA256 | 85a9bb156b26b663ae389297208c4465843b1e2aaa3f0011f27068b5823f5df6 |
| SHA512 | 407726a7b90f13cefea78e6890580a008ed54c509fa7f0b785a0bb359cb7b014c699713693c5c7be890cab5bf0cdeafdc5469ef156e38b9a763346dbf08cda08 |
C:\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e808d6a69b8499dcb5b789ca516b5e10 |
| SHA1 | b4f3f350552578169c8f72ec8662104f6f98d58e |
| SHA256 | 23e7333a37381a96709a2691ef61c88fb74eb5f33753efd46cefd099c7172f5b |
| SHA512 | 8b858275b8326f575377a2b4407e8521450c2247dfc8951c3288255f4391374ab0a2001aab6d4e57c403353b04fde5bab1359a0e2ce2a6d4a2a8c37db1aee125 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ba2b24184850e288fa62f8a3bc5fc523 |
| SHA1 | 3ff977e1c25e0095fad9d4ea194e56151c793483 |
| SHA256 | 2cae7fd256ae3088d4efb1c7f3d721f9962938e89823815a66f3202969097ff1 |
| SHA512 | b015c6a9bbaf10b307fd7b00b61bc257ffd4f82241184abcc96062da178dc61740fb97d42ad15c61ecc1a56511a28afb24bdad3704203a8470ecf496af8b1f49 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7c3bdd849e4f8a2070e78062bb1548eb |
| SHA1 | 53b8151fc5403b5c285ae8a68254a733fadc1ef6 |
| SHA256 | 6eb8564491e2603067269bfc6fd63e242536faf5bd989e310528bbbcc0ee2633 |
| SHA512 | ff08b261629fd8a2a03273679ac6ca367f128e8ba8a9144fdc77df4eec156ae98861b44c3ab95a8e250f06b5f07edf27affe4e2a17d1065fc039cc20e5e9309e |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2d29fd3ae57f422e2b2121141dc82253 |
| SHA1 | c2464c857779c0ab4f5e766f5028fcc651a6c6b7 |
| SHA256 | 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4 |
| SHA512 | 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68 |
C:\Windows\TEMP\kyabiylzsfjo.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |